1
00:00:00,850 --> 00:00:07,060
So in this regard, we are going to talk about this tachycardic some external entity, so this is based

2
00:00:07,570 --> 00:00:15,120
on this XML parsers, so frustrated about this, uh, uh, uh, file format.

3
00:00:16,090 --> 00:00:18,510
So let's first learn about this.

4
00:00:18,770 --> 00:00:22,180
What is summer XML stands for Extensible Markup.

5
00:00:22,180 --> 00:00:30,340
Language is a markup language just like Yamal, but there are already predefined tax manage to end paragraph,

6
00:00:30,340 --> 00:00:31,270
anchor, etc.

7
00:00:31,480 --> 00:00:34,360
But this is a user base.

8
00:00:35,810 --> 00:00:41,940
I mean, you can use the custom tags in place of those, uh, H1, H2, etc..

9
00:00:42,640 --> 00:00:44,950
So why do you want these custom tags.

10
00:00:45,640 --> 00:00:49,290
Uh, you need to use it for storing and transporting data supports.

11
00:00:49,360 --> 00:00:57,340
If you want to send this data you can see here, uh, mail and the CPU, Furkan.

12
00:00:57,340 --> 00:01:02,170
And from this subject about Xixi actually is going to be toward Xixi.

13
00:01:02,620 --> 00:01:04,440
So you're going to see the main has been closer.

14
00:01:04,600 --> 00:01:06,730
You can see this, uh, similar to this.

15
00:01:07,570 --> 00:01:12,260
There is a paragraph in the body and this is the text and the data.

16
00:01:12,910 --> 00:01:23,050
So what this does is they will extract this, uh, this top, uh, element and then they will extract

17
00:01:23,050 --> 00:01:25,870
the next element and then they will accept the data and say this.

18
00:01:26,020 --> 00:01:27,930
So they will form a tree like structure.

19
00:01:28,490 --> 00:01:33,640
I will show you Java XML parser.

20
00:01:35,790 --> 00:01:37,140
So.

21
00:01:41,300 --> 00:01:44,240
So let me show you how the pass.

22
00:01:47,380 --> 00:01:50,380
So one day they will pass regulatory structure.

23
00:01:50,440 --> 00:01:58,150
They will go from the top of the element to the family tree, from the subelements and then into the

24
00:01:58,150 --> 00:01:58,750
subelements.

25
00:01:59,170 --> 00:02:04,050
If there are any supplements, they will from another node and they will finally extract the little.

26
00:02:06,130 --> 00:02:12,960
So this will be the example you can see there is a class and inside the class there are students information.

27
00:02:12,970 --> 00:02:17,290
You can see student at about 3:00 and 4:00 a.m. and MOCs.

28
00:02:17,740 --> 00:02:27,130
So this is used to store the student information and on the other servers are a receiver so that you

29
00:02:27,130 --> 00:02:31,310
can just use this password to get the all the information.

30
00:02:31,570 --> 00:02:39,270
So why this symbol means different Web services runs on different of several languages.

31
00:02:39,470 --> 00:02:44,170
Suppose you may build up a website using the BHP and someone may build up using PAIDA.

32
00:02:44,290 --> 00:02:51,760
So in order to exchange this data, this example is very suitable because it's not programming independent

33
00:02:51,940 --> 00:02:54,040
and you can just it's like markup language.

34
00:02:54,040 --> 00:03:00,440
You can just, uh, use this data and send it to any application and you need one programming language.

35
00:03:00,490 --> 00:03:01,390
There are parts.

36
00:03:01,630 --> 00:03:06,270
So now I'm showing you this XML XML parser.

37
00:03:06,490 --> 00:03:15,070
So don't perceptual, uh, person based on these objects and we can extract the data from this.

38
00:03:15,070 --> 00:03:23,980
So each program does have its XML parcels and then we get the data from all to the Web server so that

39
00:03:23,980 --> 00:03:26,320
Serbo this summer basics.

40
00:03:26,710 --> 00:03:28,510
Now let's go into this.

41
00:03:28,510 --> 00:03:30,820
Uh Xixi at.

42
00:03:32,750 --> 00:03:38,100
So no external entity attack is one of the biggest features of our policies.

43
00:03:38,240 --> 00:03:45,020
So whenever this somebody is going to pass on the data and we will inject a period in this data such

44
00:03:45,020 --> 00:03:54,060
that XML parser on executing the payload will redefine or will be the server you going even performance

45
00:03:54,060 --> 00:03:54,880
here of.

46
00:03:55,370 --> 00:03:57,680
So it's just sort of attack.

47
00:03:58,220 --> 00:04:01,640
So this is the actual sea attack or you.

48
00:04:02,030 --> 00:04:09,170
And there are two types of these Xixi attacks in urban environments that I get to refer to immediately.

49
00:04:09,650 --> 00:04:11,600
Let me respond to that.

50
00:04:11,640 --> 00:04:17,830
Uh, to the victim, to us and open access the attacks.

51
00:04:17,840 --> 00:04:21,470
Uh, we need to output to some other file and we need to use that.

52
00:04:22,970 --> 00:04:24,920
So those are the two types of attacks.

53
00:04:26,610 --> 00:04:33,000
Um, so why do you think someone would have already seen so one important thing I need to mention is

54
00:04:33,100 --> 00:04:41,460
X validation using digital delivery stands for document data definition and this document type definition

55
00:04:41,460 --> 00:04:44,170
defines how XML format should be.

56
00:04:44,190 --> 00:04:49,320
So there is, uh, this is called rudiment and this is called, uh, child element.

57
00:04:49,740 --> 00:04:54,600
And then you can see there are two elements or two from subject text, and this is called data.

58
00:04:57,460 --> 00:05:05,670
And now, as you can see, this is, uh, similar what I have told, so now they're asking some questions.

59
00:05:05,670 --> 00:05:10,960
So let's try to answer those Exemestane then Cebull.

60
00:05:13,290 --> 00:05:14,400
I'm Marco.

61
00:05:17,110 --> 00:05:27,680
Language, so is it compulsory to her and so she's just to a good practice, but it's not mandatory.

62
00:05:28,860 --> 00:05:33,030
Can we read it some documents just so that is going to the schema?

63
00:05:33,310 --> 00:05:34,540
And there are some tools.

64
00:05:34,540 --> 00:05:40,670
You can add the digital schema and then that will be a disclaimer.

65
00:05:42,620 --> 00:05:50,810
So this reminds me of Armi, this dialogue versus when I had my Java course on my college, then it's

66
00:05:50,900 --> 00:05:57,350
very hard to just to extract a small XML document into the data.

67
00:05:57,350 --> 00:06:00,350
So you get all this using the objects.

68
00:06:00,470 --> 00:06:02,660
The objects are determined by acceptable.

69
00:06:03,350 --> 00:06:04,640
So this is in Java.

70
00:06:04,640 --> 00:06:05,450
It's very hard.

71
00:06:05,970 --> 00:06:13,670
I don't know this XML parsing in Python, but I think it's very easy because Python is very easy, readable

72
00:06:13,670 --> 00:06:15,460
and readable then Java.

73
00:06:16,790 --> 00:06:21,830
So can you work some version and coding and XML?

74
00:06:26,270 --> 00:06:29,240
So that's, I think, some version.

75
00:06:31,910 --> 00:06:37,640
So can you switch to someone version and so when you to do the starting axman version is close to one

76
00:06:37,640 --> 00:06:38,450
point zero.

77
00:06:41,630 --> 00:06:47,490
So let me come to this questioning after doing some other tasks.

78
00:06:48,500 --> 00:06:55,220
So let's talk about this DTD document type definition and define the structure and legal elements of

79
00:06:55,220 --> 00:06:56,680
attributes of, for example, document.

80
00:06:57,260 --> 00:07:05,390
So if this is wrong, then our XML parser will just give us an error that, uh, these elements are

81
00:07:05,390 --> 00:07:06,550
not in the character.

82
00:07:07,250 --> 00:07:09,830
So let's take this note of this.

83
00:07:09,830 --> 00:07:13,940
You can see not and in this note there, we have three children.

84
00:07:14,150 --> 00:07:16,700
So reforged elements, two from hurting anybody.

85
00:07:16,910 --> 00:07:20,870
And each child would have some that are very confused taking Xixi.

86
00:07:22,010 --> 00:07:28,010
So as you can see, duct tape, duct tape, which stands for rope, this is the root, not notice the

87
00:07:28,010 --> 00:07:28,820
root null.

88
00:07:29,360 --> 00:07:36,500
And then we have this element not so we are describing what are the subelements, other elements of

89
00:07:36,500 --> 00:07:36,950
this note.

90
00:07:37,430 --> 00:07:43,520
And the third elements of this note are from hitting and we can see two from hitting bottom.

91
00:07:43,670 --> 00:07:51,220
And we need to specify the, uh, what is the whatever that is called in this in between, these two

92
00:07:51,280 --> 00:07:58,340
elements can see 11 to two different pieces that you can see pieces that are here means possible character

93
00:07:58,350 --> 00:08:00,770
that are simply ASCII values.

94
00:08:01,520 --> 00:08:08,140
And two pieces that are from heading and body are defined as pieces that are so unique, so many to

95
00:08:08,150 --> 00:08:09,130
simply strings.

96
00:08:10,340 --> 00:08:12,240
So we have a root note.

97
00:08:12,260 --> 00:08:17,570
And in that note, we are defining, uh, for change elements.

98
00:08:18,500 --> 00:08:25,770
Those consist of are the strings as, uh, that are that are so you can import.

99
00:08:25,790 --> 00:08:32,960
So this has some texture and you can just give it to to to take this example.

100
00:08:32,990 --> 00:08:40,700
So if there is another element to suppose sample, uh, sample, then it will fit because we have to

101
00:08:40,700 --> 00:08:42,490
find only four elements.

102
00:08:42,500 --> 00:08:49,340
But if there is another element, then that producer you can see here, DOCTYPE defines a root and element.

103
00:08:50,330 --> 00:08:53,300
And these are the detailed elements of this group.

104
00:08:54,530 --> 00:08:57,080
So how do you define a new element?

105
00:08:58,890 --> 00:08:59,810
How to define.

106
00:09:01,420 --> 00:09:03,920
Rudiment is using this, adopting.

107
00:09:08,830 --> 00:09:10,740
How will we find new entry?

108
00:09:13,580 --> 00:09:14,710
I think this is element.

109
00:09:18,360 --> 00:09:27,290
Yes, I just confused between this and tenantry, so entity is also like, uh, scoring available.

110
00:09:27,570 --> 00:09:31,320
Now let's see what water Xixi pillories.

111
00:09:33,090 --> 00:09:41,670
Now, let's see carefully here in this data, the special characters are not like quotations, uh,

112
00:09:41,670 --> 00:09:48,540
backwards and forwards, rashes, etc. Those are not allowed know how to implement those special characters

113
00:09:48,540 --> 00:09:57,820
in the data means you need to specify that we will see need to say and name and interface with the fish.

114
00:09:58,080 --> 00:10:04,130
So whenever I use the ampersand name, then that fish value will be placed at the time.

115
00:10:04,130 --> 00:10:09,570
Want the XML parsing it like an external entry to this node.

116
00:10:09,990 --> 00:10:14,250
And we are defining some variables here and we have to find never will.

117
00:10:14,280 --> 00:10:16,350
And it contains the fish value.

118
00:10:16,650 --> 00:10:23,580
So whenever I use this ampersand name, uh, semicolon, then this fish will get to replace it here.

119
00:10:24,300 --> 00:10:31,020
Whenever XML parser on this ampersand name, it will go, it will go and take this and this and it has

120
00:10:31,020 --> 00:10:32,760
the name entity which is the very first.

121
00:10:32,910 --> 00:10:35,230
So this fish value will get splicer here.

122
00:10:36,690 --> 00:10:43,170
So in the same way, what if I just take this, uh, system, uh, file etsi puzzle so you can see if

123
00:10:43,380 --> 00:10:50,610
this is the protocol and it turns XML parser to read the contents are to get the contents from this

124
00:10:50,610 --> 00:10:51,000
file.

125
00:10:51,000 --> 00:10:52,410
Switchfoot, it's impossible.

126
00:10:53,160 --> 00:10:59,110
So this system is that you need to search in the system and search for the file at possibility.

127
00:10:59,700 --> 00:11:02,280
So I'm just using the route and present.

128
00:11:02,940 --> 00:11:08,500
So this really defines to this entity, which is to read the system for positively.

129
00:11:09,810 --> 00:11:15,990
So that's I think I hope you have understood that what these are these guys are saying here.

130
00:11:16,350 --> 00:11:19,900
Let me now let's go an expert in this.

131
00:11:19,920 --> 00:11:23,700
I have already run this server and open this machine.

132
00:11:27,010 --> 00:11:33,810
So now I have gone gone into this home and we have this better area now, we can submit our payload,

133
00:11:34,510 --> 00:11:37,030
you can also go to the Xixi payloads.

134
00:11:37,040 --> 00:11:44,040
And at this getup, you have so many parents here and you can see the basic example to get the information,

135
00:11:44,050 --> 00:11:48,800
John Doe and simple entity John Doe.

136
00:11:49,360 --> 00:11:52,170
So let me show you this, how it works.

137
00:11:52,600 --> 00:11:54,190
Now, the output will be Jundal.

138
00:11:56,350 --> 00:12:06,010
Because it takes the dawn value and then it goes and as, for example, variabilities, so we're going

139
00:12:06,020 --> 00:12:07,300
to put this Dundar.

140
00:12:10,760 --> 00:12:11,840
No.

141
00:12:14,620 --> 00:12:20,080
We can also see the same, but we can see that at Sea Shadowfax.

142
00:12:21,550 --> 00:12:30,130
And Shotover consists of hashes for users, so we I think we don't have access to the server, don't

143
00:12:30,130 --> 00:12:38,580
have access to the shuttle and you can also perform this dangerous service using all these, uh, uh,

144
00:12:38,980 --> 00:12:40,190
random junk data.

145
00:12:40,330 --> 00:12:42,060
So we are not going to do that.

146
00:12:43,330 --> 00:12:47,200
So try to display your own name using axes, using any Perl.

147
00:12:48,940 --> 00:12:51,310
So let me call with DISPELL or.

148
00:12:54,120 --> 00:13:00,930
And then writing copy paste it in here, let me change it to.

149
00:13:07,190 --> 00:13:14,090
And then I'm going to change this to Nicole, so let me start with this, and you can see my name has

150
00:13:14,090 --> 00:13:15,260
been successfully.

151
00:13:17,090 --> 00:13:22,130
So let me click on this computer, see if you can read that possibly.

152
00:13:25,030 --> 00:13:25,540
Sorry.

153
00:13:28,450 --> 00:13:34,150
So it's covid is exceptional and it does replace this shot of stability.

154
00:13:38,810 --> 00:13:39,590
Sodium, sodium.

155
00:13:42,900 --> 00:13:45,300
Let's pass, that will be.

156
00:13:47,680 --> 00:13:51,730
And there you can see the contents of this possibility has been displayed.

157
00:13:54,410 --> 00:14:03,230
And you can see there is a user name calling for an end user group and some information are home for

158
00:14:03,440 --> 00:14:12,530
is the author of this FAQ on user NIBIN, Banshee's The Shell, which can be used by the fact that we

159
00:14:12,530 --> 00:14:14,090
got some information.

160
00:14:14,360 --> 00:14:15,650
What is the name of the user?

161
00:14:15,660 --> 00:14:17,480
Netivot, which is Furqan?

162
00:14:19,800 --> 00:14:29,770
And where is the arrogance as you look at it so it's easy to get in and let me show you in a home for

163
00:14:30,270 --> 00:14:30,690
home.

164
00:14:32,410 --> 00:14:37,000
Of our second and third associate.

165
00:14:38,190 --> 00:14:46,430
So I would underscore say this is a private key for this, uh, Furqan user, let me submit this and

166
00:14:46,430 --> 00:14:50,190
then we got this, uh, private key for this Furqan user.

167
00:14:51,710 --> 00:14:53,810
So let me copy this part.

168
00:14:54,440 --> 00:14:57,380
Sorry, but it will be manually.

169
00:14:59,070 --> 00:15:05,700
Home Phalcon bought a Secich and highly underscore Arissa.

170
00:15:08,410 --> 00:15:12,050
So what what are the frustrating items from the Falcons key?

171
00:15:13,090 --> 00:15:15,880
So let me copy a bunch of these characters.

172
00:15:16,670 --> 00:15:20,910
I think these are more than willing to let me open a Python interpreter.

173
00:15:22,340 --> 00:15:25,430
So it's easy to see.

174
00:15:25,730 --> 00:15:34,460
So I'm just quoting it as a and what I will do is I want to ask from Dero to 70, which is the 18 Karatas.

175
00:15:34,790 --> 00:15:38,390
So non-literary with the syntax I would expect in the Python section.

176
00:15:39,200 --> 00:15:40,960
Now we have got the fascinating characters.

177
00:15:41,240 --> 00:15:45,640
So these are like indexers do makes one, two, three, four and so on to something.

178
00:15:45,650 --> 00:15:46,550
Is that fascinating?

179
00:15:46,550 --> 00:15:50,690
Characters write this and submit this.

180
00:15:51,860 --> 00:15:54,650
So we have successfully completed this room.

181
00:15:55,700 --> 00:15:57,800
Uh, sorry, this just part.

182
00:16:00,720 --> 00:16:09,330
So what we'll learn is when there is an answer and when it's going to pass this to define an external

183
00:16:09,330 --> 00:16:16,500
entity and you can just, uh, put the file name you want to read, and then you need to, uh, set

184
00:16:16,500 --> 00:16:17,630
the ampersand variable.

185
00:16:17,970 --> 00:16:25,050
So whenever that's been read by the actual, then it will read the, uh, system file and the contents

186
00:16:25,050 --> 00:16:25,720
will be displayed.

187
00:16:27,030 --> 00:16:32,490
So I hope you understood this is what you need to know about this XML external entity.

188
00:16:32,490 --> 00:16:41,330
And, uh, I also advise you to check out this pilot and perform all these, uh, dinner service.

189
00:16:41,360 --> 00:16:49,170
And Arafeh local fare includes an extra grassers at Google and, uh, uh, for other actors, pyrates.